On Thu, Aug 09, 2007 at 03:54:55PM -0400, Dan McDonald wrote:
> > If a re-reading of RFCs 3947/8 is needed then, why not do it?
> >
> > I don't think we care about keepalive drop stats, but we should know
> > if we do...
>
> I've put in a new ipdropper (esp_nat_t_ka) to track these. I will be
> treating 2 and 3 byte packets the same as 1 byte ones. (Best application of
> Postel's Law.)

Yeah, you're right: one might want to know that keepalives are being received.

> > - usr/src/uts/common/inet/ip/ip.c:7031,7045
> >
> > I gather that ESP-in-UDP is fairly costly -- we re-compute the IP
> > header checksum for what appears to be purely local purposes only,
> > and we move around the ESP payload (ovbcopy(), right?).
>
> It's not for local purposes if you follow the bouncing packet.
> ip_proto_input() does the off-the-wire check. To be fair, I need only
> recompute the checksum if it's really ESP-in-UDP (vs. a zero-SPI UDP packet).

That sounds "purely local" to me -- the IP hdr cksum should only be checked
once, long before the ESP-in-UDP code path is ever reached.

> Therefore, I'm moving the ip_csum_hdr() call into the if/else branch
> specifically for ESP-in-UDP.

Good catch.

Nico
--
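The RFC 3948 demux the thread is arguing about, as an added example that is not OpenSolaris code: the off-the-wire IPv4 header checksum is verified once in the input routine, and only then is the UDP port 4500 payload split into keepalive, IKE (a zero SPI, the non-ESP marker) and ESP-in-UDP. The single 0xFF keepalive byte and the four-zero-byte non-ESP marker come from RFC 3948; treating 2- and 3-byte payloads as keepalives follows Dan's choice above; all function names, addresses and packet bytes are constructed here and are assumptions, not anything from ip.c.

```c
/*
 * Added example, not OpenSolaris code: classify the payload of a UDP datagram
 * received on the NAT-T port (4500) as RFC 3948 lays it out, after verifying
 * the IPv4 header checksum exactly once at input time.
 *   1 byte of 0xFF           -> NAT keepalive (RFC 3948 section 2.3)
 *   first 4 bytes all zero   -> non-ESP marker, i.e. IKE
 *   otherwise                -> ESP-in-UDP, SPI in the first 4 bytes
 * As in the thread, 2- and 3-byte payloads count as keepalives: they are too
 * short to carry an SPI.  All names, addresses and bytes here are invented.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum natt_kind { NATT_BAD, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

/* RFC 1071 one's-complement sum over an IPv4 header; returns 0 when valid. */
uint16_t ip_hdr_cksum(const uint8_t *hdr, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
	if (i < len)
		sum += (uint32_t)hdr[i] << 8;
	while (sum >> 16)
		sum = (sum & 0xFFFF) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Demux the UDP payload of a port-4500 datagram (RFC 3948 section 2). */
enum natt_kind natt_classify(const uint8_t *p, size_t len)
{
	if (len == 0)
		return NATT_BAD;
	if (len == 1)
		return p[0] == 0xFF ? NATT_KEEPALIVE : NATT_BAD;
	if (len < 4)
		return NATT_KEEPALIVE;	/* thread's choice: no room for an SPI */
	if (p[0] == 0 && p[1] == 0 && p[2] == 0 && p[3] == 0)
		return NATT_IKE;	/* non-ESP marker: IKE, not ESP */
	return NATT_ESP;
}

/* Input path: the header checksum is checked here, once, before the demux. */
enum natt_kind natt_input(const uint8_t *pkt, size_t len)
{
	size_t ihl, udp_len;

	if (len < 20 || (pkt[0] >> 4) != 4)
		return NATT_BAD;
	ihl = (size_t)(pkt[0] & 0x0F) * 4;
	if (ihl < 20 || len < ihl + 8 || ip_hdr_cksum(pkt, ihl) != 0)
		return NATT_BAD;
	if (pkt[9] != 17)	/* not UDP */
		return NATT_BAD;
	udp_len = (size_t)((pkt[ihl + 4] << 8) | pkt[ihl + 5]);
	if (((pkt[ihl + 2] << 8) | pkt[ihl + 3]) != 4500 ||
	    udp_len < 8 || ihl + udp_len > len)
		return NATT_BAD;
	return natt_classify(pkt + ihl + 8, udp_len - 8);
}

/* Constructed IPv4/UDP datagram 192.168.0.1:4500 -> 192.168.0.2:4500. */
size_t build_natt_pkt(uint8_t *buf, size_t bufsz, const uint8_t *payload, size_t plen)
{
	static const uint8_t tmpl[28] = {
		0x45, 0, 0, 0,  0, 0, 0x40, 0,  64, 17, 0, 0,
		192, 168, 0, 1,  192, 168, 0, 2,
		0x11, 0x94, 0x11, 0x94,  0, 0, 0, 0 };
	size_t total = sizeof tmpl + plen;
	uint16_t ck;

	if (total > bufsz || total > 0xFFFF)
		return 0;
	memcpy(buf, tmpl, sizeof tmpl);
	buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
	ck = ip_hdr_cksum(buf, 20);	/* checksum field is still 0 here */
	buf[10] = (uint8_t)(ck >> 8);  buf[11] = (uint8_t)ck;
	buf[24] = (uint8_t)((8 + plen) >> 8);  buf[25] = (uint8_t)(8 + plen);
	memcpy(buf + 28, payload, plen);
	return total;
}

/* Runs constructed keepalive, IKE and ESP packets plus one with a corrupted
 * IP header checksum through natt_input; returns 1 if all outcomes match. */
int natt_selftest(void)
{
	static const uint8_t ka[1]  = { 0xFF };
	static const uint8_t ike[8] = { 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44 };
	static const uint8_t esp[8] = { 0, 0, 0x10, 0x01, 0, 0, 0, 1 };
	const struct { const uint8_t *p; size_t len; enum natt_kind want; } cases[] = {
		{ ka, sizeof ka, NATT_KEEPALIVE }, { ike, sizeof ike, NATT_IKE },
		{ esp, sizeof esp, NATT_ESP } };
	uint8_t buf[64];
	size_t i, n = 0;

	for (i = 0; i < 3; i++) {
		n = build_natt_pkt(buf, sizeof buf, cases[i].p, cases[i].len);
		if (n != 28 + cases[i].len || natt_input(buf, n) != cases[i].want)
			return 0;
	}
	buf[10] ^= 0x01;	/* corrupt the checksum: rejected before any demux */
	return natt_input(buf, n) == NATT_BAD;
}

int main(void)
{
	printf("natt_selftest: %s\n", natt_selftest() ? "ok" : "FAIL");
	return 0;
}
```

The point of the split into natt_input() and natt_classify() is the one Nico makes: the header checksum belongs to the input routine, so the ESP-in-UDP branch only ever sees a datagram whose IP header has already been validated and only has to decide what the payload is.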